Sending messages from one Graylog server to another Graylog server over the internet using GELF output (the messages should be encrypted)

Certificates

Right! That’s my kind of ball game :slight_smile: Let me see what I can help you with…

  • When you’re building a TLS connection, the client side (the “output”) should be able to verify the server side’s (the “input”) certificate.
  • The server side will need a proper, valid certificate. Please don’t muck around on the Internet with self-signed certificates!
  • The server side’s certificate will be issued by a CA (certificate authority). This can be your company’s own CA, both to save on money and to provide an extra hurdle for a MitM attack.
  • The client side will need to have a “trust store”, which will tell it which CAs it can trust. In this case, that trust store will only contain the cert of the CA that issued the server’s certificate.
  • Yes, on the client side you must specify TLS validation.
  • For added security, you can also enable TLS validation on the server’s side. This means that the sending side will need a certificate of its own, which is also issued by a trusted CA.

The config that’s required outside of Graylog is something I’ve documented in the following thread:
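An added example of the TLS layout described in the post above, not code from the thread or from Graylog itself: it builds the sending side's context (trust store limited to the issuing CA, certificate and hostname validation always on, optional client certificate for mutual TLS), the receiving side's context (server certificate, optionally requiring client certificates), and a null-terminated GELF 1.1 frame that it pushes over the verified connection. The file paths, the server name `graylog.example.com` and port 12201 are placeholder assumptions; substitute the files from your own PKI.

```python
import json
import socket
import ssl
import time

# Placeholder paths (assumption, not from the thread); replace with your own PKI files.
CA_FILE = "/etc/pki/company-ca.pem"      # cert of the CA that issued the server certificate
CLIENT_CERT = "/etc/pki/sender.pem"      # only needed when the input also validates clients
CLIENT_KEY = "/etc/pki/sender.key"


def client_context(ca_file=None, client_cert=None, client_key=None):
    """Sending side (the GELF output).

    PROTOCOL_TLS_CLIENT already switches on certificate verification and
    hostname checking; this only adds the trust anchor and a TLS version floor.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        # Company CA: the trust store holds exactly this CA and nothing else.
        ctx.load_verify_locations(cafile=ca_file)
    else:
        # Public CA: fall back to the operating system's trust store.
        ctx.load_default_certs()
    if client_cert:
        # Mutual TLS: present our own CA-issued certificate to the input.
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def server_context(server_cert, server_key, client_ca=None):
    """Receiving side (the GELF input). Pass client_ca to require a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(server_cert, server_key)
    if client_ca:
        ctx.verify_mode = ssl.CERT_REQUIRED          # reject senders without a trusted cert
        ctx.load_verify_locations(cafile=client_ca)
    return ctx


def context_summary(ctx):
    """The settings a reviewer wants to confirm, as plain values."""
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_tls": ctx.minimum_version.name,
    }


def gelf_frame(short_message, host, **extra):
    """Build a GELF 1.1 message, null-terminated as GELF over TCP requires."""
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": time.time(),
    }
    for key, value in extra.items():
        msg["_" + key] = value  # additional fields must start with an underscore
    return json.dumps(msg).encode("utf-8") + b"\x00"


def parse_gelf_frame(frame):
    """Inverse of gelf_frame, used to check what would go on the wire."""
    if not frame.endswith(b"\x00"):
        raise ValueError("GELF TCP frame must be null-terminated")
    return json.loads(frame[:-1].decode("utf-8"))


def send_gelf(server_host, port, ctx, frame):
    """Open a verified TLS connection and push one frame.

    server_host must match a SAN in the input's certificate; a mismatch or an
    untrusted issuer makes wrap_socket raise before any message is sent.
    """
    with socket.create_connection((server_host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_host) as tls:
            tls.sendall(frame)
            return tls.getpeercert()


if __name__ == "__main__":
    ctx = client_context(CA_FILE, CLIENT_CERT, CLIENT_KEY)
    print(context_summary(ctx))
    peer = send_gelf("graylog.example.com", 12201, ctx,
                     gelf_frame("hello over TLS", "sender01", app="demo"))
    print("server certificate subject:", peer.get("subject"))
```

The client context never sets `verify_mode` or `check_hostname` explicitly because `PROTOCOL_TLS_CLIENT` already enforces both; the point of the trust store is that `load_verify_locations` with only the company CA means a certificate from any other issuer, however valid publicly, is rejected.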